[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 1 Oct 2013 19:23:28 -0500 (CDT)
From: security curmudgeon <jericho@...rition.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple
vulnerabilities
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 01 Oct 2013 10:07:22 -0600
Please use CVE-2013-4395 for the XSS vuln.
--
Which XSS vuln? =) That thread was messy, but Henri and others appear to
have identified and/or confirmed four different ones:
/Sources/ManageServer.php Multiple XSS
http://seclists.org/oss-sec/2013/q3/607
http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_2.0.5.tar.gz;smf_version=2.0.4
http://www.simplemachines.org/community/index.php?topic=509417
http://seclists.org/oss-sec/2013/q3/642
index.php admin Action board_name Parameter Stored XSS
http://seclists.org/oss-sec/2013/q3/642
http://hauntit.blogspot.co.uk/2013/04/en-smf-204-full-disclosure.html
index.php pm Action sa Parameter Stored XSS
http://hauntit.blogspot.co.uk/2013/04/en-smf-204-full-disclosure.html
http://seclists.org/oss-sec/2013/q3/642
index.php admin Action desc Parameter Stored XSS
http://seclists.org/oss-sec/2013/q3/642
That is what I took away from the entire thread at least. Can someone
confirm this is correct, and can you confirm the CVE assignment please
Kurt?
Brian
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
